ML Security PapersExposing and Defending Membership Leakage in Vulnerability Prediction Models
Yihan Liao 1, Jacky Keung 1, Xiaoxue Ma 2, Jingyu Zhang 1, Yicheng Sun 1
Published on arXiv
2512.08291
Membership Inference Attack
OWASP ML Top 10 — ML04
Key Finding
NMID reduces membership inference attack AUC from nearly 1.0 to below 0.65 while preserving the predictive utility of vulnerability prediction models
NMID (Noise-based Membership Inference Defense)
Novel technique introduced
Neural models for vulnerability prediction (VP) have achieved impressive performance by learning from large-scale code repositories. However, their susceptibility to Membership Inference Attacks (MIAs), where adversaries aim to infer whether a particular code sample was used during training, poses serious privacy concerns. While MIA has been widely investigated in NLP and vision domains, its effects on security-critical code analysis tasks remain underexplored. In this work, we conduct the first comprehensive analysis of MIA on VP models, evaluating the attack success across various architectures (LSTM, BiGRU, and CodeBERT) and feature combinations, including embeddings, logits, loss, and confidence. Our threat model aligns with black-box and gray-box settings where prediction outputs are observable, allowing adversaries to infer membership by analyzing output discrepancies between training and non-training samples. The empirical findings reveal that logits and loss are the most informative and vulnerable outputs for membership leakage. Motivated by these observations, we propose a Noise-based Membership Inference Defense (NMID), which is a lightweight defense module that applies output masking and Gaussian noise injection to disrupt adversarial inference. Extensive experiments demonstrate that NMID significantly reduces MIA effectiveness, lowering the attack AUC from nearly 1.0 to below 0.65, while preserving the predictive utility of VP models. Our study highlights critical privacy risks in code analysis and offers actionable defense strategies for securing AI-powered software systems.
Key Contributions
- First comprehensive MIA analysis on neural vulnerability prediction models, identifying logits and loss as the most informative signals for membership leakage
- NMID (Noise-based Membership Inference Defense), a lightweight defense combining output masking and Gaussian noise injection to disrupt adversarial membership inference
- Empirical evaluation showing NMID reduces MIA AUC from ~1.0 to below 0.65 across LSTM, BiGRU, and CodeBERT architectures while preserving VP utility
🛡️ Threat Analysis
Paper's core contribution is a comprehensive MIA analysis on VP models (evaluating attack success across architectures and output features) plus a dedicated MIA defense (NMID) that reduces attack AUC from ~1.0 to below 0.65.